Fixes missing description and adds new post about OpenSSH hardening
committed by Samuel FORESTIER
parent 311760eca8
commit 0f5ee2b5c0
@@ -5,6 +5,7 @@ url: hardening-apache-all-in-one-place
layout: post
category: Security
image: /img/blog/hardening-apache-all-in-one-place.png
description: "An unified guide to secure Apache web server"
---

[](/img/blog/hardening-apache-all-in-one-place.png)
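Review bot: the added `description` value has an article error: "An unified guide" should read "A unified guide", since "unified" begins with a consonant sound. The same wording is reused in the new OpenSSH post's front matter in this commit, so fixing both keeps the two descriptions consistent.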
119
_posts/2017-11-20-hardening-openssh-all-in-one-place.md
Normal file
@@ -0,0 +1,119 @@
---
title: "Hardening OpenSSH, all in one place"
date: 2017-11-20
url: hardening-openssh-all-in-one-place
layout: post
category: Security
image: /img/blog/hardening-openssh-all-in-one-place.png
description: "An unified guide to secure OpenSSH server"
---

[](/img/blog/hardening-openssh-all-in-one-place.png)

After having hardened _Apache_ during the [previous post over here](/blog/security/hardening-apache-all-in-one-place), we'll take a look at _OpenSSH_.

> Why ? :thinking:
>> 'Cause if you secure your web server, it's good to enforce some "good" rules on your SSH server too, unless securing your web server would be pointless :grinning:

### Content

In order to set up a "hardened" _OpenSSH_, just edit your `/etc/ssh/sshd_config`, after **having backup'ed your current configuration** (`cp /etc/ssh/sshd_config /etc/ssh/sshd_config.backup`), and paste the following (please, **do adapt it to what you actually need / want**) :

{% highlight config %}
# You should set another port here
Port 22
Protocol 2

HostKey /etc/ssh/ssh_host_ed25519_key

UsePrivilegeSeparation yes

KeyRegenerationInterval 3600
ServerKeyBits 1024

SyslogFacility AUTH
LogLevel INFO

LoginGraceTime 120
PermitRootLogin no
StrictModes yes

RSAAuthentication no
PubkeyAuthentication yes
# Should be set to `no`
PasswordAuthentication yes

IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no

PermitEmptyPasswords no

ChallengeResponseAuthentication no

X11Forwarding no
AllowTcpForwarding no

PrintMotd no
PrintLastLog yes
TCPKeepAlive yes

AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

UseDNS yes
UsePAM yes
AllowGroup ssh
MaxAuthTries 3

KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
{% endhighlight %}

Once you have adapted and paste the content above, you'll have to get rid of the moduli the less secure.
In order to achieve this, please copy / paste the _BASH_ snippet below (taken and one-line'd from [here](https://stribika.github.io/2015/01/04/secure-secure-shell.html)) :

{% highlight bash %}
cd /etc/ssh/
if [[ -e ./moduli ]]; then cp moduli moduli.backup && awk '$5 > 2000' moduli > moduli.tmp; if [[ $(wc -l moduli.tmp | cut -d ' ' -f 1) -ne 0 ]]; then mv moduli.tmp moduli; else echo "No secure Moduli available..."; fi; else ssh-keygen -G moduli.all -b 4096 && ssh-keygen -T moduli.safe -f moduli.all && mv moduli.safe moduli && rm moduli.all; fi
{% endhighlight %}

Let's do the same with your keys (**:warning: DANGEROUS OPERATION :warning:**) :

{% highlight bash %}
rm ssh_host_*key*
ssh-keygen -t ed25519 -f ssh_host_ed25519_key -N "" < /dev/null
{% endhighlight %}

Now, you have to manually add the sessions that will have the right to connect through SSH :

`(# addgroup ssh)`
`# usermod -G ssh <yourSession>`

Only if you went through all the previous actions correctly, you can check your _OpenSSH_ configuration with :

`# sshd -t`

If it's okay too, you may now reload the SSH daemon :

`# service ssh reload`

Now **DON'T CLOSE YOUR CURRENT REMOTE SESSION**, and try to open a new one :wink:

Also, if everything is still okay, you can delete the old backups !

`# rm {sshd_config,moduli}.backup`

### Sources

* Default `sshd_config` automatically generated by _OpenSSH_

* [Hardening OpenSSH](https://dev.gentoo.org/~swift/docs/security_benchmarks/openssh.html)

* [OpenSSH Security and Hardening](https://linux-audit.com/audit-and-harden-your-ssh-configuration/)

* [Secure Secure Shell](https://stribika.github.io/2015/01/04/secure-secure-shell.html)

* [CryptCheck](https://cryptcheck.fr/)
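Review bot: `AllowGroup ssh` in the `sshd_config` block is not a valid keyword; OpenSSH spells it `AllowGroups`, so the `sshd -t` check the post itself recommends will reject the file with a bad-configuration-option error before the daemon is ever reloaded. Two further problems in the same hunk: `usermod -G ssh <yourSession>` without `-a` replaces the user's whole supplementary group list (dropping e.g. `sudo`), so it should read `usermod -aG ssh <yourSession>`; and `PasswordAuthentication yes` contradicts its own comment `# Should be set to \`no\``, leaving password guessing possible despite `MaxAuthTries 3`, so either ship `no` and state the prerequisite (an `authorized_keys` entry for the allowed user) or say in the prose when the reader is expected to flip it. Minor: `Protocol 2`, `KeyRegenerationInterval`, `ServerKeyBits`, `RSAAuthentication` and `RhostsRSAAuthentication` are SSH protocol 1 options that OpenSSH 7.4 and later no longer implement and accept only with a deprecation warning, and `UseDNS yes` adds a reverse lookup on every login that only pays off when `from=` restrictions use hostnames; consider dropping them. Also, the second bash snippet (`rm ssh_host_*key*`) silently relies on the `cd /etc/ssh/` of the previous snippet, which is risky for an operation flagged as dangerous: repeat the `cd` or use absolute paths. Finally, the description has the same "An unified" article error as the Apache post ("A unified").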
BIN
img/blog/hardening-openssh-all-in-one-place.png
(Stored with Git LFS)
Normal file
Binary file not shown.